In past, researchers have found various XSS (cross-site scripting) vulnerabilities in Google services allowing hackers to gain un-authorized access to users accounts which are now patched, but in an entirely new type of "Frame Injection Vulnerability" found by Adrian Pastor of the GNUCitizen, the researcher displayed how attackers can create authentic-looking spoof pages meant to steal user login information, the exploit allows attackers to inject third-party content into Google pages bypassing phising filters.

Adrian posted proof-of-concept (do not enter any login info here) of this new exploit allowing him to inject fake Gmail login frame inside Google pages hosted on mail.Google.com domain, the result page looks legitimate as the domain displayed in user address bar is mail.google.com increasing the hackers chances of getting the login data.